I have a network like this:
Code:
Internet <===> Modem/Router <---------> Switch
 1.2.3.4       192.168.1.1/24           |  |  |
                                        |  |  |
                                  +-----+  |  +------+
                                  |        |         |
                                PC_2       |       PC_3
                           192.168.1.3/24  |  192.168.1.4/24
                                           |
                                          PC_1
                                     192.168.1.2/24
                                          /|\
                                          WLAN
                                         / | \
                                   PC_W1 PC_W2 PC_W3
                                 192.168.1.X/24 (X>10)
The Modem/Router acts as DHCP server too. Any request sent to the public IP 1.2.3.4 is redirected to 192.168.1.2 on the internal network. The Modem/Router belongs to the ISP and I can't access/configure it. PC_1 is a Linux box: eth0 and wlan0 are bridged (enslaved to br0 with address 192.168.1.2); hostapd is running on PC_1, sharing the internet connection with PC_WX. I want to redirect connections to some ports on PC_1 toward PCs on the same net, e.g.:
1.2.3.4:2222 > 192.168.1.2:2222 -> 192.168.1.3:22
1.2.3.4:3333 > 192.168.1.2:3333 -> 192.168.1.4:25
I tried using iptables and enabling ip_forward:
# allow the kernel to forward packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# rewrite the destination of traffic arriving for PC_1:2222 to PC_2:22
iptables -t nat -A PREROUTING -d 192.168.1.2 -p tcp --dport 2222 -j DNAT --to 192.168.1.3:22
# rewrite the source so PC_2's replies come back through PC_1
iptables -t nat -A POSTROUTING -d 192.168.1.3 -p tcp --dport 22 -j SNAT --to-source 192.168.1.2
and so on for the other ports, but it didn't work. I discovered that redirections toward any other PC connected via WLAN work fine. It seems that, using an iptables PREROUTING rule in conjunction with a bridge, once a packet has entered the bridge from one side (eth0), it can only flow to the other side (wlan0), but can't go out through the same input interface. The arrangement described above works fine when the bridge is disabled, but I don't want to use PC_1 as a router, only as an AP.
Can someone help me?
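As an added example (not part of the post), the rule set above generalised to a list of forwards: a small Python helper that emits the DNAT rule for each entry, adds the SNAT rewrite only when the target sits in the same segment as br0 (the hairpin case the post describes), and opens FORWARD only for the rewritten ports so the chain's default policy can stay DROP. Addresses and ports are the post's; the function name and the FORWARD/conntrack rules are my additions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed from the post: PC_1's bridge address, its LAN, and the two
# forwards (port on PC_1, target host, target port) the author wants.
BRIDGE_IP = "192.168.1.2"
LAN = "192.168.1.0/24"
FORWARDS: List[Tuple[int, str, int]] = [
    (2222, "192.168.1.3", 22),
    (3333, "192.168.1.4", 25),
]


def forward_rules(bridge_ip: str, lan: str,
                  forwards: Iterable[Tuple[int, str, int]]) -> List[str]:
    """Build the iptables command lines for a list of TCP forwards.

    Every forward gets a DNAT rule. When the target is inside the same
    subnet as the bridge (the post's case), the target would answer the
    client directly, bypassing PC_1, so the source is also rewritten to
    the bridge address (hairpin SNAT). FORWARD is opened per rewritten
    destination only, so the chain's default policy can stay DROP.
    """
    net = ipaddress.ip_network(lan)
    if ipaddress.ip_address(bridge_ip) not in net:
        raise ValueError(f"{bridge_ip} is not inside {lan}")
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ext_port, dst_ip, dst_port in forwards:
        if not (0 < ext_port < 65536 and 0 < dst_port < 65536):
            raise ValueError(f"invalid port in {(ext_port, dst_ip, dst_port)}")
        rules.append(
            f"iptables -t nat -A PREROUTING -d {bridge_ip} -p tcp --dport {ext_port}"
            f" -j DNAT --to-destination {dst_ip}:{dst_port}")
        if ipaddress.ip_address(dst_ip) in net:  # same segment: hairpin case
            rules.append(
                f"iptables -t nat -A POSTROUTING -d {dst_ip} -p tcp --dport {dst_port}"
                f" -j SNAT --to-source {bridge_ip}")
        rules.append(
            f"iptables -A FORWARD -d {dst_ip} -p tcp --dport {dst_port}"
            f" -m conntrack --ctstate NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("\n".join(forward_rules(BRIDGE_IP, LAN, FORWARDS)))
```

Running it prints the commands rather than applying them, so the rule set can be reviewed before it is loaded on PC_1.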